
    Verify Files with PowerShell Get-FileHash (and Check a Whole Folder)

    Get-FileHash is the fastest way to verify a single file on Windows. Here's how to hash, compare, and verify downloads from PowerShell — and how to scale past a per-file loop when you need to check an entire folder, repeatably.

    Published June 30, 2026 · 9 min read
    Mehrab Ali

    Data Scientist, Researcher & Entrepreneur

    Founder of ARCED Foundation, ARCED International, and Solutions of Things Lab (SoTLab). Built FolderManifest to help teams protect file integrity and stay audit-ready.

    Quick answer

    To verify a file in PowerShell, run Get-FileHash "C:\Downloads\app.zip" — it returns the SHA-256 hash by default. To confirm a download, compare it to the published value with (Get-FileHash .\app.zip).Hash -eq 'EXPECTED' (case-insensitive, returns True). Get-FileHash hashes one file at a time; to verify a whole folder repeatably, generate a manifest baseline once and verify against it.

    • Get-FileHash file → SHA-256 by default; add -Algorithm MD5 to switch.
    • Compare with -eq — it's case-insensitive, so paste any-case hashes.
    • Folders need a loop — and a loop has no baseline and no diff.
    • A manifest fixes that: one verify call, one pass/fail exit code.

    Hash a single file

    Get-FileHash ships with every modern Windows PowerShell — nothing to install. Point it at a file and it returns the algorithm, the hash, and the path:

    PowerShell
    Get-FileHash "C:\Downloads\app.zip"
    
    Algorithm       Hash                                                              Path
    ---------       ----                                                              ----
    SHA256          9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08  C:\Downloads\app.zip

    SHA-256 is the default. To use a different algorithm, pass -Algorithm — the supported values are SHA1, SHA256, SHA384, SHA512, and MD5:

    PowerShell
    Get-FileHash "C:\Downloads\app.zip" -Algorithm MD5

    Want just the hash string, with no table? Reach into the object's .Hash property:

    PowerShell
    (Get-FileHash "C:\Downloads\app.zip").Hash

    Verify a download against a published checksum

    This is the everyday job: a project lists a SHA-256 next to its installer, and you want to confirm the file you got matches. Compare the computed hash to the published one with -eq:

    PowerShell
    (Get-FileHash ".\app.zip").Hash -eq '9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08'
    True

    True means the file is intact. PowerShell's string -eq is case-insensitive, so it doesn't matter whether the site published the hash in upper or lower case. If you get False, the usual culprits are a partial download, the wrong algorithm, or stray whitespace pasted with the expected value.
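
    The culprits listed above (wrong algorithm, stray whitespace) can be ruled out before the comparison runs. The following is an added example, not code from the original article: `Test-PublishedHash` is a hypothetical helper name, and it infers the algorithm from the digest length among the five values listed earlier.

```powershell
# Added example: Test-PublishedHash is a hypothetical helper, not a built-in cmdlet.
function Test-PublishedHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected
    )

    # Strip whitespace anywhere in the pasted value (spaces, tabs, trailing newline).
    $clean = $Expected -replace '\s', ''

    # Refuse anything that is not a pure hex string before hashing.
    if ($clean -notmatch '^[0-9a-fA-F]+$') {
        throw "Expected value is not a hex digest: '$Expected'"
    }

    # Digest length in hex characters identifies which listed algorithm was published.
    $algorithm = switch ($clean.Length) {
        32      { 'MD5' }
        40      { 'SHA1' }
        64      { 'SHA256' }
        96      { 'SHA384' }
        128     { 'SHA512' }
        default { throw "Unrecognised digest length: $($clean.Length) hex characters" }
    }

    # -LiteralPath avoids wildcard expansion for file names containing [ or ].
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $algorithm -ErrorAction Stop).Hash

    [pscustomobject]@{
        Path      = $Path
        Algorithm = $algorithm
        Expected  = $clean.ToUpperInvariant()
        Actual    = $actual
        Match     = ($actual -eq $clean)   # -eq on strings is case-insensitive
    }
}

# Constructed demo: a temp file containing the text "test", checked against its
# SHA-256 pasted in lower case with leading spaces and a trailing newline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'hash-demo.txt'
[IO.File]::WriteAllText($demo, 'test')
$pasted = "  9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 `n"
Test-PublishedHash -Path $demo -Expected $pasted | Format-List
Remove-Item $demo
```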

    Compare two files by hash

    To prove two files are byte-for-byte identical — a copy versus its original, say — hash both and compare. This is far more trustworthy than matching size or modified date, which can agree even when the bytes differ:

    PowerShell
    (Get-FileHash "D:\backup\report.pdf").Hash -eq (Get-FileHash "C:\work\report.pdf").Hash
    True

    Need to do this without a terminal, or for someone who doesn't live in PowerShell? Our free Compare Files tool does the same check in the browser, and the checksum calculator hashes a single file on the spot.

    The certutil alternative (Command Prompt)

    If you're in cmd.exe rather than PowerShell, certutil computes the same hashes. It's been in Windows for years and needs no PowerShell session:

    Command Prompt
    certutil -hashfile "C:\Downloads\app.zip" SHA256
    
    SHA256 hash of C:\Downloads\app.zip:
    9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
    CertUtil: -hashfile command completed successfully.

    Same hash, different tool. certutil prints the digest in lower case and adds two status lines, so it's a little harder to script around than Get-FileHash's clean object — but for a quick manual check it's perfectly fine.

    Hashing a whole folder

    Get-FileHash only hashes files you name, but it accepts pipeline input — so you can feed it a recursive listing and get a hash for every file under a folder:

    PowerShell
    Get-ChildItem "C:\Project" -Recurse -File | Get-FileHash -Algorithm SHA256 |
      Select-Object Hash, Path

    That prints a hash per file. You can even save it to a CSV to keep a record:

    PowerShell
    Get-ChildItem "C:\Project" -Recurse -File | Get-FileHash |
      Export-Csv "C:\baselines\project-hashes.csv" -NoTypeInformation

    Where the one-liner stops being enough

    The folder loop works, but the moment you want to verify a folder rather than just list hashes, the gaps show up fast:

    • No diff. Two CSV dumps don't tell you what changed. You'd have to script the comparison — and handle files that were added or deleted, not just modified.
    • No clean pass/fail. A scheduled task wants one exit code that says "unchanged" or "something moved." A hash dump gives you neither.
    • No report. When something has changed, you want a readable record of exactly which files — not a diff of two spreadsheets.
    • It's slow to maintain. Paths with spaces, long-path limits, and re-hashing unchanged files all become your problem.

    At that point you've started writing a folder-verification tool in PowerShell. That's the line where a purpose-built manifest pays off.
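
    What scripting that comparison yourself involves, as an added example that is not part of the original article or of FolderManifest: the hypothetical `Compare-HashBaseline` function diffs a saved Get-FileHash CSV against the current folder and reports added, removed, and modified files. The temp folder and file names are constructed for the demo, and the script is meant to be saved and run as a .ps1 file so the final `exit` sets the exit code.

```powershell
# Added example: Compare-HashBaseline is a hypothetical helper, not a built-in cmdlet.
function Compare-HashBaseline {
    param(
        [object[]] $Baseline = @(),   # rows with Hash and Path (e.g. from Import-Csv)
        [object[]] $Current  = @()    # rows with Hash and Path (e.g. from Get-FileHash)
    )
    # Index both sides by path; @{} keys are case-insensitive, like Windows paths.
    $old = @{}; foreach ($row in $Baseline) { $old[$row.Path] = $row.Hash }
    $new = @{}; foreach ($row in $Current)  { $new[$row.Path] = $row.Hash }

    foreach ($path in $new.Keys) {
        if (-not $old.ContainsKey($path)) {
            [pscustomobject]@{ Change = 'Added'; Path = $path }
        } elseif ($old[$path] -ne $new[$path]) {
            [pscustomobject]@{ Change = 'Modified'; Path = $path }
        }
    }
    foreach ($path in $old.Keys) {
        if (-not $new.ContainsKey($path)) {
            [pscustomobject]@{ Change = 'Removed'; Path = $path }
        }
    }
}

# Constructed demo: baseline a temp folder, then modify, remove and add one file each.
$root = Join-Path ([IO.Path]::GetTempPath()) "hash-demo-$PID"
$csv  = Join-Path ([IO.Path]::GetTempPath()) "hash-demo-$PID.csv"
New-Item -ItemType Directory -Path $root -Force | Out-Null
'alpha'   | Set-Content (Join-Path $root 'a.txt')
'bravo'   | Set-Content (Join-Path $root 'b.txt')
'charlie' | Set-Content (Join-Path $root 'c.txt')
Get-ChildItem $root -Recurse -File | Get-FileHash | Export-Csv $csv -NoTypeInformation

'changed' | Set-Content (Join-Path $root 'a.txt')   # modified
Remove-Item (Join-Path $root 'b.txt')               # removed
'delta'   | Set-Content (Join-Path $root 'd.txt')   # added

$now   = Get-ChildItem $root -Recurse -File | Get-FileHash
$drift = @(Compare-HashBaseline -Baseline (Import-Csv $csv) -Current $now)
$drift | Sort-Object Path | Format-Table -AutoSize   # a.txt Modified, b.txt Removed, d.txt Added

Remove-Item $root, $csv -Recurse -Force
# One pass/fail exit code for a scheduled task: 0 = unchanged, 1 = drift.
if ($drift.Count -gt 0) { exit 1 } else { exit 0 }
```

    Keep the baseline CSV outside the folder being checked and write-protected: anyone who can edit both the files and the baseline can hide a change.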

    Verify whole folders, repeatably

    The FolderManifest CLI turns the folder case into two commands. Capture a SHA-256 baseline of the folder once, when you know it's good:

    PowerShell
    foldermanifest generate "C:\Project" --format json --out project-baseline

    Then verify against that baseline any time — by hand, or from a scheduled task. It exits 0 when the folder matches and 1 when any file was added, removed, or modified, so it drops straight into a script:

    PowerShell
    foldermanifest verify "C:\Project" --manifest project-baseline.json
    if ($LASTEXITCODE -eq 0) { "OK: unchanged" } else { "DRIFT: review the report" }

    That's the whole difference: Get-FileHash answers "is this file intact right now?", while a manifest answers "is this whole folder exactly as I left it?" — with a diff, a report, and a single exit code you can schedule. To put it on a timer, see automating folder verification with Task Scheduler, and for the hash trade-offs behind all of this, read MD5 vs SHA-256.

    From one file to the whole folder

    The FolderManifest CLI ships inside the desktop app on Windows and Linux — included with the 7-day trial and every lifetime license. Hash one file in PowerShell; verify the whole folder with one command.

    Frequently asked questions

    How do I get the SHA-256 hash of a file in PowerShell?
    Run Get-FileHash followed by the path, for example Get-FileHash "C:\Downloads\app.zip". Get-FileHash uses SHA-256 by default and prints the Algorithm, Hash, and Path. Add -Algorithm MD5 or -Algorithm SHA1 to use a different algorithm.
    How do I compare a file against a published checksum in PowerShell?
    Capture the hash and compare it to the expected value: (Get-FileHash .\app.zip).Hash -eq 'ABC123...'. PowerShell string comparison with -eq is case-insensitive, so it matches whether the published hash is upper or lower case. It returns True when the file is intact.
    How do I compare two files by hash in PowerShell?
    Hash both and compare: (Get-FileHash a.iso).Hash -eq (Get-FileHash b.iso).Hash. True means the files are byte-for-byte identical. This is more reliable than comparing file size or modified date, which can match even when contents differ.
    Can Get-FileHash hash an entire folder?
    Not directly — it hashes individual files. You can pipe a recursive listing into it: Get-ChildItem -Recurse -File | Get-FileHash. That prints one hash per file, but it does not save a baseline, diff against a previous run, or tell you which files were added or removed. For repeatable folder verification, generate a manifest once and verify against it.
    What is the difference between Get-FileHash and certutil?
    Both compute file hashes on Windows. Get-FileHash is the modern PowerShell cmdlet and is easiest to script. certutil -hashfile file SHA256 is the older Command Prompt equivalent and is handy when PowerShell is unavailable. They produce the same hash for the same file and algorithm.
    Is MD5 or SHA-256 better for verifying a download?
    Use SHA-256. MD5 is faster but cryptographically broken, so a malicious file can be crafted to match a given MD5. SHA-256 has no practical collision attack and is the safe default for verifying downloads and artifacts. See our MD5 vs SHA-256 comparison for the full picture.
    Why does Get-FileHash return a different hash than the website lists?
    The most common causes are a partial or corrupted download, comparing against the wrong algorithm (MD5 vs SHA-256), or hidden whitespace when you pasted the expected hash. Re-download, confirm the algorithm matches, and trim the pasted value before comparing.
    How can I verify a whole folder of files at once on Windows?
    Generate a SHA-256 baseline manifest of the folder once with the FolderManifest CLI, then run verify against it whenever you want to confirm nothing changed. verify exits 0 when the folder matches and 1 when any file was added, removed, or modified — so it works in scripts and scheduled tasks, which a per-file Get-FileHash loop cannot do cleanly.
